SYNOPSIS

DESCRIPTION

sniffit is a packet sniffer for TCP/UDP/ICMP packets. sniffit is able to give
you very detailed technical info on these packets (SEQ, ACK, TTL, Window, ...)
but also packet contents in different formats (hex or plain text, ...).

sniffit can by default handle ethernet and PPP devices, but can easily be
forced into using other devices (read the README.FIRST and sn_config.h files
on this subject!)

The sniffer can easily be configured in order to 'filter' the incoming
packets (to make the sniffing results easier to study). The config file (see
sniffit(5)) allows you to be very specific on the packets to be processed.

sniffit also has an interactive mode for active monitoring, and can be used
for continuous monitoring on different levels.

NOTE

This man page is supposed to be a reference manual. So please read
README.FIRST first, and use this only for better understanding or for a quick
check on the use of sniffit.

OPTIONS

-v

Shows the version of sniffit you are running and exits (overrides all)

-c <config-file>

Use config-file for the packet filtering. This allows you to be very specific
on the packets to be processed (see sniffit(5) for details on the format).
(NOT compatible with: '-t' '-s' '-i' '-I' '-v' '-L')

-R <file>

Record all traffic in <file>. This file can then be fed to sniffit with the
'-r' option.
(Needs a selection parameter like '-c' '-t' '-s') (NOT compatible with '-i' '-I' '-v' '-L' '-r')

-r <file>

This option feeds the recorded <file> to sniffit. It requires the '-F' option
with the correct device. Suppose you log a file on a machine with 'eth0'. When
feeding the logged file to sniffit, you will need to add '-F eth0' or '-F eth'
to the command line. It needs little explanation that using '-i' or '-I' in
combination with '-r' makes no sense (at this moment).
(requires '-F', NOT compatible with '-R' '-i' '-I')

-n

Turn off IP checksum checking. This can show you bogus packets.
(mind you, ARP, RARP and other non-IP packets will show up as bogus too)
(compatible with ALL options)

-N

Don't perform any of the built-in sniffit functions. Useful for only
running a plugin.
(compatible with ALL options)

-P <proto>

Specify the protocols that should be processed (default TCP). Possible
options currently are: IP, TCP, ICMP, UDP. They can be combined.
IP, ICMP, UDP info is dumped to stdout. IP gives ADDITIONAL info on the
IP wrapping around other packets; it is not needed to specify IP for TCP
packet logging.
IP, ICMP packets are not filtered (UDP packets are as of 0.3.4).
(NOT compatible with: '-i' '-I' '-v' '-L')

-F <snifdevice>

Force sniffit to use a certain network device. snifdevice can be found with
ifconfig (see ifconfig(8)). sniffit supports ethernet and PPP by default.
Read README.FIRST for info on forcing the use of other devices.
(compatible with ALL options)

-D tty

All logging output will be sent to that device.
(ONLY works with '-i' and '-I')

-L <logparam>

Use sniffit as a monitoring tool and enable different logging modes
(logparam). The file for logging can be specified in the config file (see
sniffit(5)) but is sniffit.log by default. Different logparam values can be
combined. (ONLY works with '-c')

NORMAL MODE

The first sniflen bytes (default 300) of each connection are logged into a
file x.x.x.x.p-y.y.y.y.o where 'x.x.x.x' is the sending host (port 'p') and
'y.y.y.y' the receiving host (port 'o').

DUMP MODE ('-d' and/or '-a')

Output is dumped to stdout; the packet contents are shown in their
unwrapped form (the complete IP packet).

INTERACTIVE MODE ('-i' or '-I')

Keys available in interactive mode:

UP or 'k'

self explanatory

DOWN or 'j'

self explanatory

F1 or '1'

Enter a host (enter 'all' for no mask) for packet filtering (host that
sends the packets)

F2 or '2'

Enter a host (enter 'all' for no mask) for packet filtering. (host that
receives the packets)

F3 or '3'

Enter a port (enter '0' for no mask) for packet filtering. (port of the host
that sends the packets)

F4 or '4'

Enter a port (enter '0' for no mask) for packet filtering. (port of the host
that receives the packets)

F5 or '5'

Start a program 'sniffit_key5' with arguments
<from IP> <from port> <to IP> <to port>
If the program doesn't exist, nothing is done. The program should be in the
same path as sniffit was STARTED FROM (not necessarily the path sniffit is
stored in). This function is useful for interactive connection killing or
extra monitoring. A little shell script can always transform the arguments
given and pass them on to other programs.
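As an added example (not part of sniffit), a hypothetical 'sniffit_key5' helper script of the kind described above: it validates the four arguments sniffit hands over and appends the flagged connection to a monitoring log. The log path and the SNIFFIT_KEY_LOG override are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of sniffit: a 'sniffit_key5' helper as invoked by
# the F5 key with:  sniffit_key5 <from IP> <from port> <to IP> <to port>
# It validates the four arguments and appends the flagged connection, with a
# UTC timestamp, to a monitoring log. The log path is an assumption of this
# example (override via SNIFFIT_KEY_LOG).

LOGFILE="${SNIFFIT_KEY_LOG:-/tmp/sniffit_key5.log}"

# is_ipv4 A.B.C.D -> success only for a dotted quad with octets 0-255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_port N -> success only for an integer 0-65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# record_connection <from IP> <from port> <to IP> <to port>
# Appends and echoes one log line; fails without writing on malformed input,
# so a garbled argument never ends up in the log.
record_connection() {
    { is_ipv4 "$1" && is_port "$2" && is_ipv4 "$3" && is_port "$4"; } || return 1
    line="$(date -u +%Y-%m-%dT%H:%M:%SZ) flagged $1:$2 -> $3:$4"
    printf '%s\n' "$line" >> "$LOGFILE" || return 1
    printf '%s\n' "$line"
}

# Act only when sniffit hands over its four arguments, so the file can also
# be sourced to reuse the functions.
if [ "$#" -eq 4 ]; then
    record_connection "$@" || { echo "sniffit_key5: bad arguments: $*" >&2; exit 2; }
fi
```

Place the script, made executable, in the directory sniffit is started from; the same pattern serves for 'sniffit_key6' through 'sniffit_key8'.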

F6 or '6'

Same as F5 or '5', but with program 'sniffit_key6'

F7 or '7'

Same as F5 or '5', but with program 'sniffit_key7'

F8 or '8'

Same as F5 or '5', but with program 'sniffit_key8'

ENTER

A window will pop up and log the connection, or the connection output
will be sent to a chosen device if you used the '-D' option.

'q'

When in logging mode, stop logging. Otherwise, quit.

'n'

Toggle network statistics. These are sampled every 3 seconds; look in the
sn_config.h file to change this.

'g'

sniffit is now able to generate some traffic load. Currently this is an
'underdeveloped' feature with very few options, but it will be expanded a
lot. Currently only UDP packets are generated. When pressing 'g' you will be
asked for the source/dest IP/port and how many packets need to be
transmitted.
Packets contain the line: "This Packet was fired with Sniffit!"

'r'

Reset: clears all current connections from memory and restarts.

LOGGING MODE ('-L')

Output is saved to sniffit.log, unless you have specified some other name in
the config file (see sniffit(5)).

raw

Log all SYN, FIN, RST packets. This will give you an overview of all
network (TCP) traffic in a 'RAW' way (a connection starting can give
you at least 2 SYN packets, etc.).

norm

Same as raw, but a bit more intelligent. Unless packets are
transmitted multiple times because of packet loss, you will only get one
notice of a connection starting or ending (the packet id
will give you the host that initiated the connection first).

telnet

Sniffit will try to catch logins and passwords for this application
(see telnet(1)).

ftp

Sniffit will try to catch logins and passwords for this application
(see ftp(1)).

mail

Sniffit will try to identify all mail that was logged.

IP ICMP UDP LOGGING

Information on these packets is dumped to stdout. Packet
filtering options only refer to TCP and UDP packets.
The contents of UDP packets are only shown when enabling '-a' or '-d'.